There seems to be a trend at EH.net where an experienced member will indicate what a world class pentester, malware analyst, etc. needs to do their job. For the newbies here, of which I sometimes qualify, it can be very easy to get discouraged at the mountain of knowledge necessary that seems insurmountable. Sure, those lists are ideal but there are hundreds if not thousands of people working in these fields with a small subset of this entire knowledge and many of them are providing excellent value for their customers. And yes, some of them are charlatans. I was talking to an IBM ISS pentester the other day who told me many of the people on his team don't write exploits. They have people who can of course, but not everyone on the team has those skills and quite often the engagement does not allow time for it anyway. The point here is that in many cases it's a team environment. Not every person has to be able to be a ninja in every area. I think it's helpful to define a bare minimum baseline and I have seen some posts that do that and appreciate that but sometimes I think even that baseline gets set a little high.

The purpose of this post is not to discourage these "end game" threads or criticize those who have compiled these lists because that information is extremely valuable, but more to provide some encouragement to our less experienced folks. You have to start somewhere. Don't be scared. Take the leap!

tturner makes some excellent points. You don't have to know the industry full circle (writing exploits, AND exploiting machines, AND analyzing the post forensics, AND etc, etc.), but it will help you understand as much as you can, which 1) makes you more valuable to a company, and 2) helps make your own job easier.

On my RWSP review, I believe I pointed out the need for "teamwork" in order to pass that exam. There can BE NO all-inclusive expert; however, there can be those who are versatile. This is one of the reasons I'm a stickler for understanding things from the ground up (http://www.ethicalhacker.net/component/ ... /#msg34503). The more you know, the better prepared you will be.

It all boils down to "determine what it is you want to do." If you want to focus on exploit writing, so be it. As I explained in the Assembly post (http://www.ethicalhacker.net/component/ ... /#msg34507), there is A LOT of overlap in many fields. Certainly understanding as much as you can from the core level will help you. NO ONE and I mean NO ONE I have come across is an expert in all levels of security. While I may know some bad ass exploit writers, fact is, they'll often suck initially at response/forensics because they haven't been exposed. However, they do have the capacity to figure things out if they understand other aspects of the OSI (networking, process intercommunications, etc.).

So tturner makes some excellent points to those in this arena. I'm always (rinse and repeat... ALWAYS) trying to learn something, anything while ALWAYS retaining knowledge of the underlying scope...

SOAP, XML, JAVA, ASP, C#: do you think I know these areas enough to make a career in the field? Heck no. But I do know enough to state they all have the same fundamentals: they're networked and they either receive or send data somehow. Now I need to figure out how and why. Forget trying to program in the language, I just need a bare understanding of the interprocessing of the application from the host and network layers. The rest is what Google is for.

To add more to tturner's excellent post, I will say this... DO NOT BE INTIMIDATED BY ANYONE or ever feel "I will never get to that level." 1) There is no level, there is only what you're willing to learn - with that said, you are either your best friend or your own anchor. 2) Read, read, read, break break break and FIX FIX FIX. In doing so, you're exposing yourself to many processes in the mix. Even purposefully misconfiguring machines is a learning experience! 3) Have fun. When you view the field as a fun, challenging game, it becomes more interesting. I play Chess against myself... I do my best not to deceive myself but play as if I were competing against myself. It's a PITA but the experience allows me to go back and remember what I was thinking at the time, what I intended on doing, how I would have done things differently.

So when I POST something like: "This is what I would do..." it's a suggestion based on experience I may have in the industry. What worked for me. I in no shape, form or fashion try to discourage anyone; in fact, I would hope that I do the opposite (encourage) those to look at things differently from the ground up.

Baby steps are the key to every big success. I rate myself about 4/10 on where I want to be, but last year, I was at 2/10, so I am happy!

That being said, I and many others on this forum try to ask newcomers to be a little bit more precise. Like in the Assembly post mentioned by sil above, we asked the guy what he really wanted to do. Then we try to adapt our language and help him as much as we can.

But that being said, we are all grown adults here. If someone's goal is to reverse-engineer malware, learning these skills will not happen overnight. Same for a forensic investigator: as was posted on this site about a month ago, when you bring someone to court, you better know what you are doing. Same thing with a pen test: before you can feel confident that the server/network/application cannot be hacked, you need a lot of experience.

Maybe it is because I have been in the infantry, but I am more for telling the plain truth BUT doing so by being encouraging and by helping and guiding people. I myself really want to know what I am up against before starting...

Also, to me, it depends on the topic the thread is about. A question like "I am new to the field and want to get advice on getting prepared for CEH" is not the same as "I have written about 20 exploits so far and I need advice on creating a new Metasploit payload". The answers will be totally different on this forum.

So my view on this is like yours, tturner: jump in and discover this fascinating world, one step at a time. But at the same time, I feel that this forum is probably the "easiest" on newcomers on the entire web. Anyway, when I started posting here a year ago, I didn't feel discouraged at all. In fact, I was (and still am) saying "thanks a lot for this awesome response" all the time!